Monday, May 4, 2009

Restrict individual user to home directory only

Asked by cscorbet in Unix Network Security
Tags: restrict, home, directory, user
Hi, I have a FreeBSD box, with a small number of users, I would like to restrict individual user to their home directory only. Can anyone help?

prasadklk:Set the restricted shell for that user.
See this doc:

01/27/03 11:45 AM, ID: 7824677

cscorbet:I would like users to change directory within the users home directory.

Restricted shell doesn't allow this?

"28.10.1 Restricted Shell
Restricted shells allow you to control the user's environment. The restricted shell, rsh, allows the user to do everything allowed by sh, except:

change directory".

01/27/03 12:14 PM, ID: 7824894

prasadklk:Yes, that is right. A restricted shell does not allow the user to change directory.
If it is any other shell, the user can see all the files and directories wherever he has read and execute permission.
I don't think there is a way to restrict a user to the home directory and allow him to see all the subdirectories without changing the permissions of other directories, which is not so practical.

01/28/03 02:12 AM, ID: 7828617

liddler:I don't know if it can be applied to login, but chroot is used with ftp to restrict users to a directory tree.

01/28/03 04:01 AM, ID: 7829046

ahoffmann:write a small wrapper, like

#!/bin/sh
# login-shell wrapper: make the home directory the new root, then start sh
/usr/bin/chroot ~ /bin/sh && exit 0

use this wrapper as shell in your passwd
(needs to be more tricky if you'd like to allow several shells)

01/28/03 07:46 AM, ID: 7830467

chris_calabrese:Agreed. A restricted shell is not restrictive enough. Use chroot. Or better yet, use User Mode Linux (no, it's not available for FreeBSD) where you can give each user their own virtual machine.

01/31/03 07:38 AM, ID: 7853829

"/usr/bin/chroot ~ /bin/sh && exit 0"

this did not work. Operation not permitted.

01/31/03 11:13 AM, ID: 7855328

chris_calabrese:The program needs to be SUID root for chroot to work.
Something more like:

#!/bin/sh
# runs SUID root: chroot(2) needs root, su then drops back to the login user
cd "$HOME" || exit 1
/usr/bin/chroot "$HOME" su - "`logname`"

02/01/03 10:38 AM, ID: 7859966

cscorbet:can you give me more information please

02/03/03 01:25 PM, ID: 7870392

ahoffmann:OK, the file (described above) needs to have permissions as follows:
chown root:root file
chmod 6555 file

BTW, keep in mind that $HOME might be different from ~

02/03/03 02:43 PM, ID: 7870885

cscorbet:can you tell me what this bit is all about please? "`logname`"


02/04/03 01:23 AM, ID: 7873762

liddler:logname is a command that returns the name of the user that logged in. It is surrounded by single back quotes (``), which tell the script to execute that command and return the result to the script.

02/22/03 02:43 PM, ID: 8000319

jimbb:Many platforms won't honor the SUID bit on an interpreted (#!) script. I don't think FreeBSD will, so those solutions may not work.

Anyway you may be able to fulfill this with a restricted shell, as others have pointed out.

Make sure you control the $PATH variable for that shell, though, otherwise they can just execute another shell and escape the restricted directory. Other caveats may apply as well.

05/03/03 11:58 PM, ID: 8453648
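The wrapper that ahoffmann and chris_calabrese sketch has to run as root to call chroot(2), and, as jimbb notes, a setuid bit on a #! script is ignored on FreeBSD, so in practice the wrapper has to be a compiled program. The following is an added example, not code from anyone in this thread, of such a wrapper in C. It looks the user up before entering the jail (the real /etc/passwd is invisible afterwards), refuses a jail root that is not root-owned or is group/world writable (the assumed layout is that the home directory itself is root-owned and the user gets a writable subdirectory under it; a user-writable jail root would let them replace the shell or its libraries), drops root before exec and checks that the drop stuck, and starts /bin/sh from inside the jail with a fresh, minimal environment. The install path /usr/local/bin/chroot-shell and the helper names are assumptions; the shell, its dynamic loader and its libraries must already have been copied under the home directory, as Droby10's later post describes.

```c
/* chroot-shell.c: a setuid-root login-shell wrapper that confines a user to
 * their home directory. Added example, not code from the thread.
 * Build and install (hypothetical path):
 *   cc -O2 -Wall -o /usr/local/bin/chroot-shell chroot-shell.c
 *   chown root:wheel /usr/local/bin/chroot-shell
 *   chmod 4555 /usr/local/bin/chroot-shell
 * then list it in /etc/shells and set it as the user's shell with chsh(1).
 */
#define _DEFAULT_SOURCE 1
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Shell to exec inside the jail. It and everything it needs (dynamic loader,
 * libc, /dev/null, a tty) must already exist under the user's home directory. */
#define INNER_SHELL "/bin/sh"

/* Accept a jail root only if it is a directory owned by root and not writable
 * by group or others; a user-writable root lets the user plant their own bin/
 * or lib/ inside the jail. Pure function over a stat buffer so it can be
 * tested without root. Returns 1 if acceptable, 0 otherwise. */
int chroot_root_ok(const struct stat *st)
{
    if (!S_ISDIR(st->st_mode))
        return 0;
    if (st->st_uid != 0)
        return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Login shells are started with argv[0] = "-" followed by the shell's basename.
 * Returns 0 on success, -1 if the buffer is too small. */
int login_argv0(const char *shell, char *out, size_t outlen)
{
    const char *base = strrchr(shell, '/');
    base = base ? base + 1 : shell;
    if (snprintf(out, outlen, "-%s", base) >= (int)outlen)
        return -1;
    return 0;
}

/* Give up root for good: supplementary groups, then gid, then uid, and prove
 * the drop stuck (setuid(0) must now fail). Returns 0 on success, -1 on error. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Look the user up by real uid before chroot hides the real /etc/passwd. */
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) {
        fprintf(stderr, "chroot-shell: unknown uid %lu\n", (unsigned long)getuid());
        return 1;
    }
    /* Open the jail root once and use that descriptor for the ownership check,
     * the chdir and the chroot, so the path cannot be swapped between steps. */
    int fd = open(pw->pw_dir, O_RDONLY | O_DIRECTORY);
    struct stat st;
    if (fd < 0 || fstat(fd, &st) != 0 || !chroot_root_ok(&st)) {
        fprintf(stderr, "chroot-shell: %s is not a usable jail root\n", pw->pw_dir);
        return 1;
    }
    /* fchdir then chroot(".") leaves the cwd inside the jail; a chroot without
     * a chdir would leave a cwd outside it, which is the classic escape. */
    if (fchdir(fd) != 0 || chroot(".") != 0) {
        perror("chroot-shell: chroot");
        return 1;
    }
    close(fd);
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("chroot-shell: could not drop privileges");
        return 1;
    }
    char argv0[64], user[128];
    if (login_argv0(INNER_SHELL, argv0, sizeof argv0) != 0 ||
        snprintf(user, sizeof user, "USER=%s", pw->pw_name) >= (int)sizeof user)
        return 1;
    /* Fresh environment: nothing inherited from the caller, PATH only inside the jail. */
    char *envp[] = { "HOME=/", "PATH=/bin:/usr/bin", "SHELL=" INNER_SHELL, user, NULL };
    execle(INNER_SHELL, argv0, (char *)NULL, envp);
    perror("chroot-shell: exec " INNER_SHELL);
    return 1;
}
```

A quick check after installing: log in as the confined user and run `ls /` and `id`; the listing should show only what was copied under the home directory and `id` must report the user's own uid, not root. If the user needs a place to write, create a subdirectory inside the jail owned by them (for instance home/alice/work, assumed layout) rather than making the jail root itself writable.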

Droby10:As suggested, a chroot shell wrapper is a nice solution. There are some caveats to doing so. You will want to copy /bin, /dev, /lib, and /usr/lib into the user's home directory... but only those executables, devices, and libraries that you wish to grant access to...

You will run into some issues. For instance, without creating another swap partition proc under the user's home, ps won't work. df, which relies on /dev entries, will also fail. who (relies on /var/utmp). So you will need to collect a dependency list for each allowed command and copy those dependencies into the user's home in a way that a chroot will result in the same path as before, i.e. /usr/home/droby10/usr/bin/perl

Also be careful about which devices you copy in; copied terminal devices with unchanged permissions (as normally occurs through getty) will allow read/write access... don't even copy mem or kmem (I forget which is present in BSD).

As opposed to using a shell wrapper, you might try to modify login to perform the chroot before initializing the user shell. (Again, the shell would have to be copied into the user's home to be effectively called after the chroot occurs.)

05/04/03 12:00 AM, ID: 8453650

Droby10:Forgot to mention that the results of copying some of those dependencies won't be current: who, from a stale utmp database, would only reflect the entries present when it was copied.

05/20/03 07:25 AM, ID: 8550878

mlafortune:I don't know which version of FreeBSD you have, but later versions offer a nice feature called jail. You create a virtual environment (you can call it a virtual machine) and it allows you to chroot your user. The first jail might take a little long to set up as you have to "make world", but once it's done, you can just copy that "environment" to the next user. One warning: you will need a lot of disk space.

on FreeBSD 4.6R
> man jail

jail - imprison process and its descendants

jail path hostname ip-number command ...

The jail command imprisons a process and all future descendants.

Please see the jail(2) man page for further details.
